SKELETONKEY

Author	SHA1	Message	Date
leviathan	2b1e96336e	core/host: in_range helper + 13-module migration + 12 more tests (29 total) Three coordinated changes that build on the host_kernel_at_least landed in `1571b88`: 1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...) — a [lo, hi) bounded-interval check for modules that want the 'vulnerable window' semantics directly. Implemented in terms of host_kernel_at_least (so the comparison logic stays in one place). No module uses it yet; available for new modules that want it. 2. 13 modules migrated off the manual if (v->major < X \|\| (v->major == X && v->minor < Y)) { ... } pattern onto if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... } One-line replacements, mechanical, no behavior change. Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat, nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs, overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now has zero manual 'v->major < X' patterns — every predates-check reads the same way. 3. tests/test_detect.c expanded from 17 to 29 cases. Adds: Above-fix coverage on h_kernel_6_12 (10 modules previously untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat, nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx. Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases): nft_set_uaf (introduced 5.1), stackrot (introduced 6.1). Detect-path test coverage now spans most of the corpus that has a testable host-fingerprint gate. Untested modules from here on are either userspace bugs whose detect() doesn't gate on host fields (pwnkit, sudo_samedit, sudoedit_editor), entrybleed (sysfs-direct, no host gate), or the copy_fail_family bridge (no ctx->host integration yet). Verification: Linux (docker gcc:latest, non-root user): 29/29 pass. macOS (local): 31-module build clean, suite reports 'skipped — Linux-only' as designed.	2026-05-22 23:58:38 -04:00
leviathan	36814f272d	modules: migrate remaining 22 modules to ctx->host fingerprint Completes the host-fingerprint refactor that started in `c00c3b4`. Every module now consults the shared ctx->host (populated once at startup by core/host.c) instead of re-doing uname / geteuid / /etc/os-release parsing / fork+unshare(CLONE_NEWUSER) probes per detect(). Migrations applied per module (mechanical, no exploit logic touched): 1. #include "../../core/host.h" inside each module's #ifdef __linux__. 2. kernel_version_current(&v) -> ctx->host->kernel (with the v -> v-> arrow-vs-dot fix for all later usage). Drops ~20 redundant uname() calls across the corpus. 3. geteuid() == 0 (the 'already root, nothing to escalate' gate) -> bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0); This is the key change that lets the unit test suite construct non-root fingerprints regardless of the test process's actual euid. 4. Per-detect fork+unshare(CLONE_NEWUSER) probe helpers (named can_unshare_userns / can_unshare_userns_mount across the corpus) are removed wholesale; their call sites now consult ctx->host->unprivileged_userns_allowed, which was probed once at startup. Removes ~10 per-scan fork()s. Modules touched by this commit (22): Batch A (7): dirty_pipe, dirty_cow, ptrace_traceme, pwnkit, cgroup_release_agent, overlayfs_setuid, and entrybleed (no migration target — KPTI gate stays as direct sysfs read; documented as 'no applicable pattern'). Batch B (7): nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, af_unix_gc, fuse_legacy. Batch C (8): stackrot, nft_set_uaf, nft_fwd_dup, nft_payload, sudo_samedit, sequoia, sudoedit_editor, vmwgfx. Combined with the 4 modules already migrated (dirtydecrypt, fragnesia, pack2theroot, overlayfs) and the 5-module copy_fail_family bridge, the entire registered corpus now goes through ctx->host. The 4 'fork+unshare per detect()' helpers that existed across nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, fuse_legacy, nft_set_uaf, nft_fwd_dup, nft_payload, sequoia, cgroup_release_agent, and overlayfs_setuid are now gone — replaced by the single startup probe in core/host.c. Verification: - Linux (docker gcc:latest + libglib2.0-dev): full clean build links 31 modules; tests/test_detect.c: 8/8 pass. - macOS (local): full clean build links 31 modules (Mach-O, 172KB); test suite reports skipped as designed on non-Linux. Subsequent commits can add more EXPECT_DETECT cases in tests/test_detect.c — the host-fingerprint paths in every module are now uniformly testable via synthetic struct skeletonkey_host instances.	2026-05-22 23:43:20 -04:00
leviathan	cdb8f5e8f9	all modules: wrap Linux-only code in #ifdef __linux__ — full macOS build works Every kernel-LPE module that uses Linux-only headers (splice, posix_fadvise, linux/netlink.h, sys/ptrace.h, etc.) now follows the same #ifdef __linux__ pattern the new modules already used: Linux body in the ifdef, stub detect/exploit/cleanup returning SKELETONKEY_PRECOND_FAIL on non-Linux, platform-neutral rule strings + module struct + register fn left outside. 14 modules wrapped: dirty_pipe (already done above), af_packet, af_packet2, cgroup_release_agent, cls_route4, dirty_cow, fuse_legacy, netfilter_xtcompat, nf_tables, nft_fwd_dup, nft_payload, overlayfs, overlayfs_setuid, ptrace_traceme. Several modules previously had ad-hoc partial stubs (af_packet2 faked SIOCSIFFLAGS/MAP_LOCKED, netfilter_xtcompat faked sysv-msg syscalls, the nft_* modules had 3 partial __linux__ islands each, fuse_legacy / nf_tables had inner-only ifdef blocks) — all replaced with the uniform outer-wrap shape from dirty_pipe / dirtydecrypt / fragnesia / pack2theroot. Where a module includes core/kernel_range.h, core/finisher.h, or core/offsets.h, those are now inside the ifdef block as well — silences clangd's "unused-includes" LSP warning on macOS while keeping them present for the real Linux build. No exploit logic, constant, struct, shellcode byte, or rule string was modified — only include placement and ifdef markers. Build verification: macOS (local): make clean && make → Mach-O x86_64, 31 modules registered, --scan reports each Linux-only module as "Linux-only module — not applicable here". Linux (docker gcc:latest + libglib2.0-dev): make clean && make → ELF 64-bit, 31 modules. Exploit code paths unchanged.	2026-05-22 22:58:16 -04:00
leviathan	9593d90385	rename: IAMROOT → SKELETONKEY across the entire project release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules//iamroot_modules.{c,h} → modules//skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.	2026-05-16 22:43:49 -04:00
leviathan	9d88b475c1	v0.3.1: --dump-offsets tool + NOTICE.md per module release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details The README has been claiming "each module credits the original CVE reporter and PoC author in its NOTICE.md" since v0.1.0, but only copy_fail_family actually shipped one. Fixed. modules/<name>/NOTICE.md (×19 new + 1 existing): per-module research credit covering CVE ID, discoverer, original advisory URL where public, upstream fix commit, IAMROOT's role. iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets via the existing core/offsets.c four-source chain (env → /proc/kallsyms → /boot/System.map → embedded table), then emits a ready-to-paste C struct entry for kernel_table[]. Run once as root on a target kernel build; upstream via PR. Eliminates fabricating offsets — every shipped entry traces back to a `iamroot --dump-offsets` invocation on a real kernel. docs/OFFSETS.md: documents the --dump-offsets workflow. CVES.md: notes the NOTICE.md convention + offset dump tool. iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.	2026-05-16 22:33:43 -04:00
leviathan	541aac6993	Phase 7: ptrace_traceme CVE-2019-13272 — port FULL jannh-style exploit Convert ptrace_traceme from 🔵 → 🟢. Real working PoC following Jann Horn's Project Zero issue #1903 technique. Mechanism: 1. fork() — child becomes our traced target via PTRACE_TRACEME 2. child sleeps 500ms (lets parent execve start) 3. parent execve's setuid binary (pkexec / su / passwd / sudo — auto-selected via find_setuid_target()) 4. Kernel elevates parent's creds to root but the stale ptrace_link from step 1 isn't invalidated (the bug) 5. child PTRACE_ATTACH's to the now-privileged parent 6. child PTRACE_POKETEXT's x86_64 shellcode at parent's RIP 7. child PTRACE_DETACH — parent runs shellcode: setuid(0); setgid(0); execve('/bin/sh', ...) → root shell Implementation notes: - x86_64-only (shellcode is arch-specific). ARM/other arch returns IAMROOT_PRECOND_FAIL gracefully. - Shellcode is the canonical 33-byte setuid(0)+execve('/bin/sh') inline asm sequence. - Setuid binary selection: pkexec preferred (almost universal), then su/sudo/passwd as fallbacks. Refuses if none available. - Auto-refuses on patched kernels (re-runs detect() at start). - No cleanup applies — exploit replaces our process image on success. Verified on Debian 6.12.86 (patched): iamroot --exploit ptrace_traceme --i-know → detect() says patched → refuses cleanly. Correct. CVES.md: ptrace_traceme 🔵 → 🟢. 5 detect-only modules remain (cls_route4, nf_tables, netfilter_xtcompat, af_packet, fuse_legacy). Each is 200-400 line msg_msg/sk_buff cross-cache groom — substantial individual commits. Next push or strategic pivot per session priorities.	2026-05-16 20:57:44 -04:00
leviathan	102b117d4e	Phase 7: PTRACE_TRACEME (CVE-2019-13272) + xt_compat (CVE-2021-22555) Two famous 2017-2020-era LPEs to broaden 'THE tool for folks' coverage. Both detect-only initially; exploit ports as follow-ups. ptrace_traceme (CVE-2019-13272 — jannh @ Google P0, Jun 2019): - Famous because works on default-config systems with no user_ns required — locked-down environments were still vulnerable. - kernel_range thresholds: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 / 5.0.20 / 5.1.17 / mainline 5.2+ - Exploit shape (deferred): fork → child PTRACE_TRACEME → parent execve setuid binary → child ptrace-injects shellcode → root. - Auditd: flag PTRACE_TRACEME (request 0) — false positives via gdb/strace; tune by exclusion. netfilter_xtcompat (CVE-2021-22555 — Andy Nguyen @ Google P0): - Bug existed since 2.6.19 (2006) — 15 years of latent vuln. Famous for that age + default-config reachability via unprivileged_userns. - kernel_range thresholds: 4.4.266 / 4.9.266 / 4.14.230 / 4.19.185 / 5.4.110 / 5.10.27 / 5.11.10 / mainline 5.12+ - detect() probes user_ns+net_ns clone; locked-down → PRECOND_FAIL. - Exploit shape (deferred): heap massage via msg_msg + sk_buff cross- cache groom → kernel R/W → cred or modprobe_path overwrite. ~400 lines port from Andy's public exploit.c. - Auditd: unshare + iptables-style setsockopt + msgsnd — combined, the canonical exploit footprint. Both wired into iamroot.c, core/registry.h, Makefile. CVES.md rows added with detailed status. Coverage by year now: 2016: dirty_cow 🟢 2019: ptrace_traceme 🔵 2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵 2022: dirty_pipe, cls_route4 🟢/🔵 2023: entrybleed 🟢 2024: nf_tables 🔵 2026: copy_fail family (×5) 🟢 Module count: 14. Build clean (no warnings).	2026-05-16 20:47:24 -04:00

7 Commits